github.com/dnsviz/dnsviz.git
author: Casey Deccio <casey@deccio.net> 2021-01-08 00:46:53 +0300
committer: Casey Deccio <casey@deccio.net> 2021-01-09 03:07:33 +0300
commit: 8f4080c53cf7fe10b0a8eac59e94a796ab3d99fb
tree: 003a578cba282ae62de92f3ec0b7850e18610a64 /doc
parent: 992baacead282d4f927cdc2ac56a2ba0005e8457
Allow prohibited algorithms to be considered with command-line option
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/dnsviz-graph.1 | 8
-rw-r--r-- doc/man/dnsviz-grok.1 | 8
-rw-r--r-- doc/man/dnsviz-print.1 | 8
3 files changed, 24 insertions, 0 deletions
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1
index 2e49755..6971750 100644
--- a/doc/man/dnsviz-graph.1
+++ b/doc/man/dnsviz-graph.1
@@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest
algorithms, the zone is treated as "insecure", assuming the DS records are
properly authenticated.
.TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
.B -C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
when a query contains a COOKIE option with no server cookie or with an invalid
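Review bot: Typo in the added option text: "then a warning will be still be issued" has a duplicated "be". Suggest "then a warning will still be issued for DNSSEC records that use these older algorithms". The same sentence is repeated verbatim in the dnsviz-grok.1 and dnsviz-print.1 hunks, so the fix is needed in all three files.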
diff --git a/doc/man/dnsviz-grok.1 b/doc/man/dnsviz-grok.1
index c6773f7..c9a441d 100644
--- a/doc/man/dnsviz-grok.1
+++ b/doc/man/dnsviz-grok.1
@@ -89,6 +89,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest
algorithms, the zone is treated as "insecure", assuming the DS records are
properly authenticated.
.TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
.B -C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
when a query contains a COOKIE option with no server cookie or with an invalid
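Review bot: The default behaviour is only described as "rather than ignoring them", which does not tell the reader what status a record with a prohibited algorithm gets when -b is not given. The paragraph just above this option says a zone with only unsupported DS digest algorithms is treated as "insecure"; state here whether prohibited algorithms are handled the same way by default, so the effect of enabling the option is clear from the man page alone.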
diff --git a/doc/man/dnsviz-print.1 b/doc/man/dnsviz-print.1
index 0499e1d..6091405 100644
--- a/doc/man/dnsviz-print.1
+++ b/doc/man/dnsviz-print.1
@@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest
algorithms, the zone is treated as "insecure", assuming the DS records are
properly authenticated.
.TP
+.B -b, --validate-prohibited-algs
+Validate algorithms for which validation is otherwise prohibited. Current
+DNSSEC specification prohibits validators from validating older, weaker
+algorithms associated with DNSKEY and DS records (see RFC 8624). If this
+option is used, then a warning will be still be issued for DNSSEC records that
+use these older algorithms, but the code will still assess their cryptographic
+status, rather than ignoring them.
+.TP
.B -C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response
when a query contains a COOKIE option with no server cookie or with an invalid
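Review bot: "Current DNSSEC specification prohibits validators ..." is missing an article, and "current" gives the reader no fixed reference point; the sentence already cites the source, so attribute the rule to it directly, e.g. "RFC 8624 prohibits validators from validating older, weaker algorithms ...". Also, "the code will still assess their cryptographic status" reads as implementation wording in a man page; prefer naming the tool or a passive form such as "their cryptographic status is still assessed".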